Wednesday, April 4, 2018

NW3C DFIR Jobs


The National White Collar Crime Center (NW3C) has the following job positions open for application:

  • High-Tech Program Manager
  • High-Tech Crime Liaison 
  • High-Tech Crime Specialist 
  • Cyber Security Specialist 
  • High-Tech Crime Administrative Assistant 
  • High-Tech Crime Instructor
You can find the position descriptions on the NW3C website at https://www.nw3c.org/about/careers

Saturday, March 31, 2018

2018 National Cyber Crime Conference

Just a quick blog post to let people know that I'll be speaking at the 2018 National Cyber Crime Conference in Boston next month. I'll be doing multiple sessions on virtual currency which has been one of my favorite computer crime related topics these days. 

I have quite a few more speaking engagements in the works this year and I think they're all going to be virtually currency related based on what I'm seeing so far.  Everyone is trying to get caught up on this in the law enforcement world and I'm fortunate enough to have a background in law enforcement, digital forensics, and economic crime so I've been well positioned to tackle this topic.

I also have a couple AFoD blog interviews underway now that the readership metrics are back enough to where I can justify someone spending the time doing one with me.

Lastly, I'm still working on the next installation of the Life After Law Enforcement series which I'm hoping to get out in the next month or so.

Sunday, March 4, 2018

Life After Law Enforcement: Life In The Fast Lane


The first part of our Life After Law Enforcement series talked about the decision to leave. In this installment, I’ll compare and contrast life in the consulting world versus the corporate world. Before I do that, however, it’s important to discuss a couple concepts that drive the differences between life in the public sector and the private sector.

One of the biggest differences is there is virtually no unionization in the private digital forensics world. At least here in the United States, most law enforcement jobs are going to be unionized civil service positions.  This means that the relationship between the government entity and the employee is doing to be defined by a collective bargaining agreement. Even if an officer isn’t covered under a collective bargaining agreement, they’re almost certainly going to be under some sort of civil service type protection.

This means that there is much more job security compared to the private world in that you can be thoroughly mediocre, but unless you are really screwing up in a well-documented way, you get to keep your job. It also means that your compensation is largely just a function of how long you’ve managed to stick around rather than how much value you add to the organization.

Not so much in the private sector, where your job security and compensation will be primarily a function of the value that you provide your employer rather than how long you’ve managed to go without egregiously screwing up.  You’ll certainly see your fair share of mediocre people in the private sector, but they tend to have stagnant career paths and they’re the first people out the door when a re-organization comes or revenues are down. Since collective bargaining and civil service generally aren’t in play in the private digital forensics world, your relationship with your employer is going to be individual rather than collective and revolves around the value you provide. 

This is very good news for people who are motivated and want to excel. One of the reasons I left law enforcement early in my career is that I recognized that no matter how good I was at my job, my career path and compensation would largely be a function of time rather than talent.  This is very bad news for someone who just wants to do the minimum and punch a clock.

Another important difference is that many private sector digital forensics jobs will put you in the position where you are a necessary evil to the organization rather than someone driving the primary mission of the organization.  Law enforcement agencies are put upon this earth to put bad people behind bars.  Whether it’s a police officer in patrol car arresting baddies or a digital forensics detective putting some evil wretch in prison until shortly after mammals are extinct because of something they did to some child, police officers are primary people advancing the goal of that agency. 

In the private sector, unless you are in a consulting type position, digital forensics people are a necessary evil to an organization and are the dreaded indirect spend. Direct spend is spending that is aligned with delivering a product or service to a customer. Indirect spend is everything else.  Spending money to create and staff a manufacturing line to build cars that are then sold to customers is direct spend. Spending money on information security people to keep that manufacturing line from getting hacked and stopped is indirect spend.  Indirect spend is important to an organization, but it’s a big fat juicy target for cutting costs and increasing profits. The closer you are to impacting the profit and loss of an organization, the more important you are. The more important you are to an organization, the more you will be paid, the better your promotion chances, and the better your job security.

There are some similarities in that large bureaucracies whether they are public or private tend to follow the late Jerry Pournelle’s Iron Law of Bureaucracy more often than anyone would like to admit. I’ll just quote directly from the Jerry Pournelle website when it comes to explaining this:  

Pournelle's Iron Law of Bureaucracy states that in any bureaucratic organization there will be two kinds of people":

 First, there will be those who are devoted to the goals of the organization. Examples are dedicated classroom teachers in an educational bureaucracy, many of the engineers and launch technicians and scientists at NASA, even some agricultural scientists and advisors in the former Soviet Union collective farming administration.

Secondly, there will be those dedicated to the organization itself. Examples are many of the administrators in the education system, many professors of education, many teachers union officials, much of the NASA headquarters staff, etc.

The Iron Law states that in every case the second group will gain and keep control of the organization. It will write the rules, and control promotions within the organization.

The good news is that this isn’t as universal as the name Iron Law would imply.  I’ve worked for organizations where the first group of people ran the show and the health, effectiveness, and morale of the organization reflected that. The organization I work for right now is one where the Iron Law doesn’t even remotely apply, but I’ve gotten to know the Iron Law of Bureaucracy all too well during various periods of my career.

Let’s add another common element in private sector life into all of this and that’s organizational change.  I’ve long since lost track of how many reorganizations I’ve lived through in the private sector, but it’s a constant part of life in large private organizations.  About the time you get comfortable with an organizational structure, someone will come along and blow it up.  Change is such a constant in the private sector that top business schools like can demand wheelbarrows of cash offering training in organizational change management.

One of the primary drivers of organizational change are changing business conditions.  Markets are dynamic so organizations have to adjust their products, services, and how they operate to adjust to changing market conditions.  As organizations change, the security portion of the organizations have to change to continue to securely enable business operations.  Security leaders who can’t manage change and keep up with the business leaders don’t last very long.  And when they get whacked you can expect another reorganization.

This brings up another potential driver of organizational change and that’s the Ides of March.  Politics are part of any organization whether they are public or private, but in the private sector, the stakes can be very high because of the amount of money involved especially if an organization is highly profitable.  There is quite a bit of careerism in the private world.  I define a careerist as someone who puts their own career goals ahead of the needs of the organization or their people. They’re an odious fact of life in the private sector.  They exist in the public sector, but union rules and civil service protections blunt the impact that they can have on individuals in an organization.

Executive political life can be pretty…staby in the private sector, but the rewards can be great especially when you factor in that successful security executives in large organizations can make over a million dollars a year in compensation. In many cases, you will have reorganizations that have no real functional purpose, but have everything to do with palace intrigue and who got knifed on some senate steps.

So why am I telling you this? Because with change comes both peril and opportunity. If you play your cards right in knowing how to obtain and retain power in organizations, there could be new opportunities during a reorganization to advance your career as new teams are created, new positions are created, or even more money floating around for things like training or tuition assistance.  In security organizations, one of the best times for funding can be after a major breach when the senior executives (and they may be the new ones that just replaced the now fired ones) are scared straight and start throwing immense amounts of money at the security organization.

Power in organizations translates not only to career progression and increased rewards, but also to survival. While you certainly can gain power by moving up the organizational ladder and increasing your influence and responsibilities, you can also gain power by the value you add to an organization through your individual abilities.  Some of the most powerful people in a security organization are the individual contributors who have skills that are mission critical and hard to replace. 

The more value you add to an organization, the more power you have to influence things around you, the greater your rewards, and the less you have to worry about job security. The less valuable you are to an organization, the less power that you have which harms your ability to change things around you, your compensation, and your job security.  The less value you add to an organization, the greater your risk during one of the inevitable reorganizations or if your organization hits hard economic times.  It’s not the highly skilled individual contributors who are going to be marked for termination when costs have to be cut in an organization or the inevitable next reorganization comes along.

Let’s talk about two broad categories of private sector jobs.  The first I’ll talk about is the consulting world and then I’ll address corporate life.  I’m not going to directly talk about non-profit type organizations like where I work now because depending on how they are structured they can essentially act as a government organization or they can feel more like consulting or corporate. It depends on how their mission, funding, and management.

Let’s start with consulting.  Consulting can be an immensely rewarding experience that can greatly increases your knowledge, job satisfaction, and value or be a joyless dystopian hellscape where the living envy the dead not.  I’ve seen a couple golden eras of consulting during my time in the industry.  The first was the eDiscovery golden age that started roughly near the year 2000 and ended, the best I can tell, about the time of the financial crisis.  During this time, eDiscovery consulting organizations where shaking down corporations and law firms for confiscatory prices for providing eDiscovery services.  There were countless eDiscovery consulting firms spread across the land and they were desperate for consultants who they could put into the field and their labs so that they could crank out as many billable hours as they could get away with.  Life as a consultant during this time involved burning an immense number of hours traveling and collecting mountains of data.  The data was then brought back to some lab somewhere and either the same consultants or different consultants then processed and hosted the data for attorney review.   Since the primary billing model was consultant hours, consultants were basically just another commodity to be used up.  I saw a lot of burn out during this era and more than a few very unhappy police officers enter this space thinking they were going to be doing interesting digital forensics analytical work and catching bad guys when all they were doing was just endless grunt work slinging data around from one place to another.  If you were an eDisco manager during this era, your life was constant pressure to make sales goals, making sure your faceless commodities consultants were being fully utilized for billing purposes, and plenty of stuff that had nothing to do with chasing bad guys and solving digital forensics mysteries.

The golden age of eDiscovery went bust because the industry overplayed its hand and their customers starting to bring those services inside of their organizations. The result was quite a few of these consulting firms going out of business or being purchased by larger consulting firms that were better diversified and positioned to survive the bust. I also think the legal system generally just responded negatively to the high costs and how things were being done. Cost containment started to be a big deal in the legal world since even in an adversarial legal system everyone could see that the consultants were saddling up their customers and taking them for a very expensive ride. 

Another thing that really hurt the eDiscovery industry was the rise of the golden age of cyber security consulting that continues to this day.  The eDisco consulting industry faced increasing pressure from the cyber security consulting world for talent and customer money.  This golden area of cyber security consulting has been partially a response to the near impossibility of defending networks from persistent skilled attackers.  There have been legions of high-profile breaches and the rise of public disclosure laws has meant that many of these incidents end up in headlines that result in great financial loss, embarrassment, and senior executive careers coming to an end.  This has provided powerful incentive for organizations to greatly increase their cyber security capabilities which lead to an immense amount of money being thrown at cyber security consulting firms.

This golden age is meat on the table of enterprising and skilled law enforcement officers who are looking for their second career.  There are countless consulting firms who are looking for talented people to come help them serve their customers both by offering proactive services such as penetration testing and threat intelligence and reactive services such as helping them detect, respond, and remediate incidents.  Some of these firms are going to be nightmares to work for where your life will be similar to what I described above, but many others have learned that retaining critical talent requires providing a reasonable work-life balance, rewarding work, and a career path. 

This gets back into the point I made earlier about the more power you have in an organization, the more you can influence you have about the world around you.  One of the things I learned as a police officer is that trauma comes from lack of control. A great way to have a traumatic consulting experience is to have minimal technical skills and to land in a job where you’re traveling nearly constantly doing low-skilled grunt work.  The best way to have a rewarding consulting experience is to have in-demand job skills (and a security clearance is worth crazy bonus points in this space) where you are being used for high-end work that your employer can charge near-confiscatory prices to customers.

Which gets us to life in the corporate world.  In the consulting world, you’re generally going to be direct spend which means the money an organization puts into you is directly involved with the service that is being provided to a customer.  In the corporate world, you’re indirect spend.  You’re a necessary evil when the money that is spent on you doesn’t involve making or selling a product or service to a customer.  That’s the bad news.  The good news is that because we’re in this golden age of cyber security, corporations are just fine (for now) with this sort of indirect spending. I spent most of my career building and leading high-performance digital forensics and incident response teams for a couple Fortune 100 enterprises.  Landing on one of these teams can be a very rewarding experience as long as you do your homework and find a team and organization that is a good fit for your skills and temperament. 

Corporate digital forensics jobs can take several different forms but the primary tasks that you’ll see in the corporate world are also the same that are being offered up in the consulting world such as eDiscovery, threat intelligence, incident response, security operations, digital forensics, malware analysis, and the like.  That which is necessary in the cyber security world is either going to be brought in internally (which creates corporate positions) or purchased externally (which creates consulting positions) or a combination of both. 

Life in the corporate world will be more predictable that in the consulting world since corporate jobs tend to be more of a normal business offer hour situation with nights and weekends as necessary when things get busy.  There are some exceptions such as corporations that have 24/7 security operations centers that require shift work.  I don’t see too many people from the law enforcement world doing security operations shiftwork, but that isn’t to say that it can’t happen and those security operations roles can be very rewarding and educational.  I’ve seen many people start in security operation centers and used that time to build a skillset that led to very rewarding career paths.

I think one of the biggest shocks for law enforcement people going into the private sector is the concept that you are now a salaried employee and there is rarely such a thing as overtime or compensation time.  You’re expected to get your work done and that frequently involves working over 40 hours a week to do that.  You are also now competing with other people in your organization.  Remember what I said earlier about gaining power in an organization.  Having a reputation as someone who just does the minimum is a great way to undermine your corporate career even if you are a highly skilled person.  A good attitude and a strong work ethic will go a long way in the private world.

There is also another aspect of the private sector which is going out on your own and starting up your own business.  Frankly, this is one of the areas where I have the least amount of experience with and I think the best way to handle this will be for me to just pester someone to do an interview here on the blog.  If you have any suggestions on who you might want to see interviewed, let me know.

I’m at about 3,000 words on this blog post and I think I’ve covered a decent overview of life on the private side. I’ll still continue to address some specifics as the series progresses especially in the next blog post where I talk about what you should be doing as a law enforcement officer to prepare for life on the private side.

Sunday, February 18, 2018

Life After Law Enforcement: Do I Stay Or Do I Go?


I was working on a bunch of CFP responses recently and during that process I found one that was rejected (so, so bitter…) by a major digital forensics conference in 2013. I won't say the name of the conference but it rhymed with "CEIC 2013".

The write up that I submitted for the talk was:

"This PowerPoint-free presentation will provide law enforcement officers who are contemplating pursuing a career in private sector digital forensics with the information they need to prepare and be successful.  It will cover how to best prepare for a private sector career as well as the pros and cons of the different options available.  We will also talk about topics such as resume preparation, interview strategies and private sector compensation models."

Since I’m back in the blogging game, I’m just going to do this presentation as a series of blog posts.  From hell’s heart I stab at thee CEIC 2013 CFP approval committee…. unless you turned me down because I inexcusably didn’t use the oxford comma in my CFP. If that was the case, all if forgiven because I clearly deserved nothing better.

The first decision that law enforcement people need to make is the classic one asked by Mick Jones and company in the 1980s.  If and when to leave law enforcement depends on a myriad of personal and professional variables, but the general advice that I give police officers is simply this:  If you are happy and you know it, stay right there.

Taken as a whole, the grass isn’t greener in the private sector compared to the public sector. There are advantages and disadvantages, but if you’re happy doing what you are doing and the compensation and benefits are working for your family, there isn’t any reason to bail out. I’ve seen plenty of people regret leaving law enforcement chasing money because they had a pile of cash dangled in front of them.  In some cases, I’ve seen people return back to law enforcement after spending time in the private sector and there isn’t anything wrong with that.

Money certainly can be a compelling reason to head off to the private sector especially if it’s in such an amount that will change the lives of your family and what you can provide them, but you also have to look at the total compensation package because there is more to compensation than just salary.  For example, many private sector health plans are much less robust than what one can get in the public sector.  High-deductible plans with high monthly premiums have been a trend in the private sector and can eat up quite a bit of that sack of cash you were offered.   It’s also very important to keep in mind that most private sector jobs in the digital forensics world are going to be salaried positions where you aren’t eligible for overtime and comp time even if you traveling and working long hours sometimes during nights, weekends, and holidays.

What I tell people is if they are happy in law enforcement, the private sector will still be around when they decide it’s time for different challenges.  It’s not that I tell people that they shouldn’t cross over, but that doing it to primarily to chase money when they are otherwise happy in their work is likely a bad idea. The bottom line is that if you are chasing money and making that the primary focus of your decision to leave, you could very easily find yourself in a situation where you are making better money, but you are profoundly unhappy. It’s not worth it.

All of that said, I’ve known many people who have left law enforcement either early in their career or after a fully-vested retirement who have been very happy with their decision and thrived in the private sector.  I’ve mentored and even hired many of these people over the years. Some of the greatest people in the industry have been people who have left law enforcement for the private sector.

The people who I’ve seen most happy with their decisions to leave law enforcement were the ones who felt that they had hit a plateau in their careers and felt stagnated and unhappy in their current role.  These tend to be people who want to do more and learn more than they can in their law enforcement job so the idea of greater challenges, an actual career path, and more money makes for a compelling reason for them to make the move.

The career path aspect has been one of my greatest recruiting tools as a hiring manager. Stupid work rules are meat on my table when I come looking to lure some unhappy law enforcement border collie over to the private sector.  I adore dumb work rules such as ones that prevent skilled digital forensics officers from getting promoted unless they’re willing to go back to patrol or, even worse, the jail. Dumbness like this has been one of the greatest recruiting tools I’ve been given by the government sector. From the bottom of my heart to the improvident lackwits who came up with these ideas, thank you.

My advice is if you are considering making the move, you should start talking to people who have already made the move, people who have left and come back, and to as many hiring managers in the private sector as you can.  The networking that you’ll be doing will also help in landing that private sector job if that is the path you choose. 

Even if you aren’t considering making the move yet, one of the best bits of career advice that I ever received was that you should always be preparing for the next job even if you aren’t actively looking for the next job. It’s smart to give yourself as many options as you can even if you are happy in your present situation.

The next part in the series will be a blog post that covers the pros and cons of various private sector options.  As the series progresses, I’ll cover things such as networking, training, certifications, interviewing, resumes, formal education, and more.  If you have questions that you would like to have answered, you can reach me through the usual communications methods I have listed on the blog.